I have looked "everywhere", but have not been able to find an answer to the following question:
I am currently implementing Guest Access on our Wired L2 switches. In our network we mainly use the following types of L2 switches:
- C3560CX
- C3800
- C9200CX
- C9300
For the first two switch types listed, a local L3 interface is required as part of the switch configuration in order for the WEB redirect functionality to work, but to our surprise this interface is not needed on the last two types (C9200CX and C9300).
On C3560CX and C3850 we use the following L3 interface setup in order to get the WEB redirect to work:
ip access-list extended Guest-Redirect-Interface-Lockdown
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.0.15.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq www
deny ip any any
!
interface Vlanxxx
description Guest-Redirect-Interface
ip address 172.16.0.1 255.240.0.0
ip access-group Guest-Redirect-Interface-Lockdown in
Vlan XXX is our Guest VLAN and is the VLAN that the interface is attached to via the Authorization Profile sent from ISE via RADIUS.
All of our guest network subnets are within the 172.16.0.0/12 block.
We are struggling to understand which switch types need this additional configuration and which do not. I cannot find any documentation describing it.
Clearly this is not bound to the OS type, since a C3850 running IOS-XE needs the local interface while the C9200CX and C9300, which are also based on IOS-XE, work without this additional configuration.
For security reasons we would obviously like to avoid the local L3 interface altogether, if possible.
Does anyone know? Many thanks in advance!